Making sure Security as a Service delivers total protection.

Greg Day argues that Security as a Service enables SMBs to have good protection without breaking the budget.

Not too many years ago I visited an SMB client to discuss his security requirements. We had a long discussion about his business, the vital importance of his website, email and IT systems, and his commitment to security. He showed me a shelf full of boxed products, everything from internet security suites, update programmes and firewalls, to anti-virus, anti-spam and wireless protection CDs. "If we have a breach," he announced proudly, "we have the software to sort it out".

The problem, he later admitted, was that while he had spent a huge amount of his already limited IT budget on these point security solutions, most were still in the box. He had simply not had the time or the internal resource to install the CDs, and was currently relying on the default settings on his PC hardware to protect the business.

While this may seem like an extreme example, similar scenarios could be seen right across the SMB sector.

Fast forward to today and, according to a new report into the security perceptions of small to medium sized businesses, the landscape may not look as dramatically different as one may have assumed. Commissioned by McAfee, the 'Does Size Matter? The Security Challenge of the SMB' report highlights that outdated attitudes towards security still threaten the very life of millions of European businesses.

But help is at hand in the form of a new breed of hosted security solutions. We are already seeing small to medium sized organisations investing heavily in a range of managed IT services, driven by a need to reduce management time and cost. But crucially, outsourcing also provides the opportunity to take advantage of expertise unavailable within the organisation.

Coined 'security as a service', managed security packages are fast becoming one of the most popular outsource options for SMBs. Such offerings provide the ideal platform for those millions of businesses who have neither the time nor the dedicated IT staff to ensure complete protection.

And there is no doubt that a comprehensive security portfolio is now critical in today's connected world. The simple fact is that 1 in 5 SMBs have been attacked this year alone - equivalent to nearly four million firms across Europe. And this is just the tip of the iceberg, as potentially millions of breaches go undetected.

Yesterday's hackers have become today's cyber criminals. Driven by a virulent and lucrative black market in stolen company and personal data, this new breed of criminal is no longer interested in causing chaos by crashing websites and servers. Now the focus is on keeping systems online while they harvest a vast array of business and financial data without interruption or detection.

So, faced with such insidious threats, security must be a priority. But the harsh reality is that, while it would be logical to assume that security is a priority, limited financial and personnel resources in the SMB space continue to impact the effectiveness of internal and external controls. According to the research, on average, SMBs across Europe only spend one hour per week on proactive security management. Typically, these organisations do not have in-house IT personnel, and the company secretary or office managers often find themselves with the major task of ensuring corporate security.

The old adage that 'IT security is only as good as the last update' remains true. But many businesses, through naivete or time pressure, fall at this first hurdle. While they may have deployed anti-virus software, many hundreds of thousands of firms are still open to attack from new worms and phishing scams simply because they are not continually patching the holes created by these increasingly sophisticated viruses.

One of the more significant benefits of these hosted 'security as a service' offerings is that responsibility for continuous updating and patching is given to a trusted and capable third party - giving business owners the peace of mind of an up-to-date protection system.

But there is also a perception gap here in IT security that must be addressed. 90% of businesses feel adequately protected, and only 18% fear a business-ending attack. Like our friend of several years ago, this is largely because of misplaced trust in the default security settings of IT equipment. Simply 'defaulting to defaults' is incredibly dangerous. These settings are as freely available to cyber criminals as they are to managing directors, so it doesn't take long before the codes are cracked and the business' IT hardware and systems are infiltrated.

High profile attacks against large organisations are becoming less frequent - being easier to detect and prevent. Stealth attacks, on the other hand, that quietly infiltrate the systems of smaller firms who lack the right protection, are on the increase. Not only is the information incredibly valuable - a company's own payroll data, complete with addresses and national insurance numbers, for example - but the criminal does not have to navigate the complex security systems of the global corporation. Better still, if the SMB has an e-commerce website, customer address and credit card details can be easily found, stolen and fraudulently used. Such an attack has wide-ranging consequences for the business and, crucially, its reputation in the market.

Despite the onerous implications of a serious security breach, it is unrealistic to expect small to medium sized businesses to allocate vast time resources or have the in-house expertise to deal with an increasing array of threats. Yet on the other hand, only spending one hour per week on managing security, and that job often being relegated to a junior employee, is a recipe for disaster. Which is precisely why the market is seeing increasing enthusiasm for these hosted security packages.

Such all-in-one security services, like the McAfee Total Protection for Small Business package, provide a fully managed service, integrating a host of stand-alone security products to block spam, viruses and spyware while protecting the SMBs' desktops, laptops and servers from identity thieves. Such solutions feature central management consoles for complete visibility of all security events, while more advanced versions will scan, filter and clean emails from spam, phishing and viruses. Essentially, they guarantee security against a fast moving and increasingly organised enemy, determined to break into your network.

The SMB space will increasingly become a target for cyber crime. The black market value of personal data is growing at an alarming rate and the larger firms, with extensive budgets and large in-house security teams, are employing ever more sophisticated and successful prevention strategies. This is focusing attacks onto smaller businesses that, in many cases, are unaware of, and lack the resources to deal with, the threat.

But the criminals do not have it all their own way. By effectively outsourcing to a global security expert, SMBs can, with a minimal budget, achieve the level of security protection typically afforded to organisations many times their size.

Greg Day is McAfee International's EMEA Security Analyst.

McAfee International is exhibiting at Infosecurity Europe 2008, Europe's number one dedicated Information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd - 24th April 2008 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security.